Configure LDAP
Local installations of Flow Production Tracking are no longer offered. This documentation is intended only for those with existing instances of Shotgun Enterprise Docker.
Contents
- Purpose
- Acquiring LDAP information
- Creating the Flow Production Tracking LDAP user
- Configuring Flow Production Tracking to Use Your LDAP Server
- Testing against your existing LDAP infrastructure
- Creating LDAP-integrated Flow Production Tracking users
- Integrating a pre-existing Flow Production Tracking user base
Purpose
This article is for Flow Production Tracking System Administrators who want to integrate Flow Production Tracking with their LDAP service.
It outlines the steps necessary to integrate Flow Production Tracking with an existing LDAP infrastructure and is therefore as detailed as possible.
Guide to this document
This document makes heavy use of 'literals': segments of code, configuration, and terminal session commands. These are always set apart in a green box for ease of viewing.
All terminal-based commands are preceded by a "#" to denote a shell command, followed by the command itself. In almost all cases, the last bits of output from a given command are included after three "."s so that the reader knows what to expect as output from the terminal. For example:
#
# sudo setup.rb
.
.
.
...done.
No library stubs found.
There is actually a lot more terminal output following sudo setup.rb, but for brevity's sake it was replaced with three "."s and only the last two lines of output were included.
Scope and assumptions
The scope of this document is the general process of LDAP integration with Flow Production Tracking. As there are many and varied flavors of LDAP in use, this document stays as general as possible with regard to LDAP type while retaining enough information to integrate any LDAP environment.
This document assumes the following:
- The integrator has, or is able to acquire, a full LDAP dump of the existing target infrastructure, up to and including child nodes.
- The integrator has enough rights, or is able to acquire the rights, to create fully-authenticated LDAP users.
- The integrator is comfortable with editing .yml files in a text editor.
- The integrator comprehends basic unix-like terminal commands and can navigate a directory structure.
Given the assumptions above, it is fairly reasonable to expect that the integration should be done not by standard users, but by IT personnel or personnel familiar with IT processes for their organization.
Overview of the integration process
The integration process is fairly simple, provided the requisite LDAP information is readily available, there are no existing users of Flow Production Tracking beyond a few administrative users (see Integrating a Pre-existing Flow Production Tracking User Base, below), and existing security policies on the target server do not prevent the required egress and lookup access needed.
This integration process can be summed up with the following high-level steps. A segment of the document will be devoted to each step:
- Acquiring LDAP Information
- Creating the Flow Production Tracking LDAP User
- Configuring Flow Production Tracking to use an LDAP Server Temporarily
- Testing Against an External LDAP Server
- Configuring Your LDAP yml File
- Testing Against Your Existing LDAP Infrastructure
- Committing the Flow Production Tracking Application to use LDAP Authentication
- Creating LDAP-Integrated Flow Production Tracking Users
There will also be a segment below devoted to integrating a pre-existing Flow Production Tracking user base into an LDAP infrastructure (new or existing).
When LDAP users log into an LDAP-integrated Flow Production Tracking instance, their First Name, Last Name, and Email Address will be overwritten with their LDAP values. Once a Flow Production Tracking site is LDAP-integrated, it is recommended that modifications to these values always be made on the LDAP server so that they are carried over properly to Flow Production Tracking.
Acquiring LDAP information
There are many ways to acquire LDAP information (a directory dump), and they depend on the directory server in use. Instructing on acquiring this information is outside the scope of this document; the directory vendor's documentation or a web search will point you to the right tool.
Note that LDAP integration requires a Flow Production Tracking LDAP username, container, and password. You can skip those attributes during the information gathering process and fill them in later, once the Flow Production Tracking LDAP user has been created (see below):
:auth:
  :method: :{LDAP_AUTH_METHOD - simple, SASL, GSSAPI, etc.}
  :username: 'cn={SHOTGUN_LDAP_USER_LOGIN},cn={LDAP_CONTAINER},dc={DOMAIN_NAME},dc={TLD},dc={ADDITIONAL_TLD}'
  :password: '{SHOTGUN_LDAP_USER_PASSWORD}'
:host: {LDAP_HOST}
:port: {LDAP_PORT}
:base: 'cn={CONTAINER},dc={DOMAIN},dc={TLD},dc={ADDITIONAL_TLD}'
:user_login_attribute: {ATTRIB_USED_FOR_LOGIN - SAMAccountName, cn, etc.}
:user_firstname_attribute: {LDAP_FIRSTNAME_ATTRIBUTE - givenname, etc.}
A sample Net LDAP information-gathering result for a fictitious UK-based company ("Fictitious Company", used throughout the rest of this document) might look like this:
:auth:
  :method: :simple
  :username: 'cn={DETERMINE_LATER},cn={DETERMINE_LATER},dc=fictitious-company,dc=co,dc=uk'
  :password: '{DETERMINE_LATER}'
:host: ldap.fictitious-company.co.uk
:port: 389
:base: 'cn=users,dc=fictitious-company,dc=co,dc=uk'
:user_login_attribute: SAMAccountName
:user_firstname_attribute: givenname
Creating the Flow Production Tracking LDAP user
Now the Flow Production Tracking LDAP user should be created. This user is created *in* LDAP, and should have the ability to query the LDAP infrastructure.
Once the Flow Production Tracking LDAP user is created, the Net LDAP information gathered above should be updated with that user's details. Assuming the user 'Shotgun_Net_LDAP' was created under the container 'users' with the password 'thisismyinsecurepassword', the information for Fictitious Company would be updated as follows:
:auth:
  :method: :simple
  :username: 'cn=Shotgun_Net_LDAP,cn=users,dc=fictitious-company,dc=co,dc=uk'
  :password: 'thisismyinsecurepassword'
:host: ldap.fictitious-company.co.uk
:port: 389
:base: 'cn=users,dc=fictitious-company,dc=co,dc=uk'
:user_login_attribute: SAMAccountName
:user_firstname_attribute: givenname
Configuring Flow Production Tracking to Use Your LDAP Server
Under "Site Preferences > Authentication", select LDAP Authentication and copy in the values gathered in the Acquiring LDAP information step above.
An example of the YAML-format configuration for "Fictitious Company" looks as follows (the example may be out of date; make sure you use a copy of your own LDAP configuration, as explained above):
:auth:
  :method: :simple
  :username: 'cn=Shotgun_Net_LDAP,cn=users,dc=fictitious-company,dc=co,dc=uk'
  :password: 'thisismyinsecurepassword'
:host: ldap.fictitious-company.co.uk
:port: 389
:base: 'cn=users,dc=fictitious-company,dc=co,dc=uk'
:user_login_attribute: SAMAccountName
:user_firstname_attribute: givenname
Saving the preference change will activate LDAP authentication in Flow Production Tracking.
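Because the configuration is retyped by hand into the preference, it is easy to introduce a slip such as a "cn=" where "dc=" was meant, or a base DN whose domain part no longer matches the bind user's. The following Ruby script is an added example, not code from this article or from the product: it parses a configuration in the shape shown above (assuming, as the Net::LDAP client library does, that :method, :username and :password nest under :auth), reports inconsistencies between the two DNs, and builds the login search filter with the value escaped per RFC 4515. The sample configuration and all function names are constructed for this example; only the Ruby standard library is needed.

```ruby
# Added example (not from the Flow Production Tracking docs or product code):
# reads a config in the shape shown above, checks that the two DNs are
# consistent, and builds the login search filter with proper escaping.
# Needs only Ruby's standard library.
require 'yaml'

# Constructed sample mirroring the "Fictitious Company" config above.
SAMPLE_CONFIG = <<~YAML
  :auth:
    :method: :simple
    :username: 'cn=Shotgun_Net_LDAP,cn=users,dc=fictitious-company,dc=co,dc=uk'
    :password: 'thisismyinsecurepassword'
  :host: ldap.fictitious-company.co.uk
  :port: 389
  :base: 'cn=users,dc=fictitious-company,dc=co,dc=uk'
  :user_login_attribute: SAMAccountName
  :user_firstname_attribute: givenname
YAML

# Split "attr=value,attr=value" into [[attr, value], ...]. A backslash
# escapes the following character (RFC 4514), so "\," does not split.
def parse_dn(dn)
  parts = []
  current = +''
  escaped = false
  dn.each_char do |ch|
    if escaped
      current << ch
      escaped = false
    elsif ch == '\\'
      current << ch
      escaped = true
    elsif ch == ','
      parts << current
      current = +''
    else
      current << ch
    end
  end
  parts << current
  parts.map do |rdn|
    attr, value = rdn.split('=', 2)
    raise ArgumentError, "malformed RDN #{rdn.inspect} in #{dn.inspect}" if value.nil? || attr.strip.empty?
    [attr.strip.downcase, value.strip]
  end
end

# Returns a list of problems; an empty list means the config is consistent.
# Catches the slips that creep in when a config is retyped: a missing key,
# a non-integer port, a DN with no domain components, or a base whose
# domain part differs from the bind user's domain part.
def validate_ldap_config(yaml_text)
  cfg = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  auth = cfg[:auth] || {}
  problems = []
  %i[host port base user_login_attribute].each { |k| problems << "missing :#{k}" unless cfg[k] }
  %i[method username password].each { |k| problems << "missing :auth :#{k}" unless auth[k] }
  return problems unless problems.empty?

  problems << ":port #{cfg[:port].inspect} is not an integer" unless cfg[:port].is_a?(Integer)
  # Keep only the dc= values of each DN, in order, e.g. ["fictitious-company", "co", "uk"].
  domains = { 'auth :username' => auth[:username], 'base' => cfg[:base] }.transform_values do |dn|
    parse_dn(dn).select { |attr, _| attr == 'dc' }.map(&:last)
  end
  domains.each { |name, dcs| problems << "#{name} has no dc= components" if dcs.empty? }
  if domains.values.uniq.size > 1
    problems << "domain parts differ: username #{domains['auth :username'].join('.')} vs base #{domains['base'].join('.')}"
  end
  problems
end

# Escape a value for use inside a search filter (RFC 4515 section 3) so the
# login typed at the form is always matched literally.
def escape_filter_value(value)
  value.gsub(/[\\*()\0]/) { |ch| format('\\%02x', ch.ord) }
end

# The equality filter the login step would send for the given user.
def login_filter(yaml_text, login)
  cfg = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  "(#{cfg[:user_login_attribute]}=#{escape_filter_value(login)})"
end

if __FILE__ == $PROGRAM_NAME
  problems = validate_ldap_config(SAMPLE_CONFIG)
  puts(problems.empty? ? 'config OK' : problems)
  puts login_filter(SAMPLE_CONFIG, 'jdoe')
end
```

Run it against a copy of the configuration you intend to paste into the preference; a non-empty problem list is worth resolving before saving, since a DN that binds correctly by accident in one directory layout will fail silently in another.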
Testing against your existing LDAP infrastructure
To test against your existing LDAP infrastructure, follow the same steps you took to test the external server:
Log in to the Flow Production Tracking application as an Admin-level user, then modify the URL to http://{your_flow_production_tracking_url}/preferences/ldap_test.
On the “Client lib implementation” drop-down, select the type of LDAP infrastructure you wish to test (activeldap or net/ldap).
Enter a valid LDAP user (you can use the Flow Production Tracking LDAP user configured earlier) into the "login" field, enter their password into the "password" field, and click the "Test Login" button. Ensure that the test reports a successful result before progressing.
If LDAP authentication is configured but you cannot log in to Flow Production Tracking, you can turn off LDAP and revert to the default authentication by running:
sudo docker-compose run --rm app rake admin:disable_ldap_auth
Creating LDAP-integrated Flow Production Tracking users
Creating LDAP-integrated Flow Production Tracking users is very simple. If a user is in LDAP but not in Flow Production Tracking, they can attempt to log in to Flow Production Tracking and their user account will automatically be created in the Flow Production Tracking application. Easy!
Don't forget to create an LDAP user for the Flow Production Tracking staff (typically the shotgun_admin user). The "Admin" box should be checked so that remote Flow Production Tracking staff can use this user to support your site.
Integrating a pre-existing Flow Production Tracking user base
Integrating a pre-existing Flow Production Tracking user base into an existing LDAP infrastructure is a little trickier. The keys to remember here are:
- The login property of the Flow Production Tracking user must match the LDAP login of the LDAP user
- The password used to login to Flow Production Tracking after the switch will likely be different (it will now be the same as the LDAP password). It's important to let users know that this switch is going to happen.
- The first name, last name, and email address of the Flow Production Tracking user will be overwritten on each successful login by the values in LDAP, so the user's info should be correct in LDAP.
As long as the login values match exactly, the LDAP user will successfully be able to log in to Flow Production Tracking without losing any of their default settings, views, pages, etc. If there is a mismatch between the login names, then a new user will be created with the LDAP-based login and password, so the user would then exist twice in Flow Production Tracking with different logins. Please exercise extreme caution when integrating pre-existing user bases.
Don't delete the 'Template User'
There is a system user called 'Template User' that is important for Flow Production Tracking's functionality. If your LDAP integration routinely deletes users that don't have an LDAP equivalent, be aware that this user should be exempt and not deleted!
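An audit of the existing user list against the LDAP dump before the switch is the practical way to apply the two rules above (logins must match exactly, and the 'Template User' must be left alone). The following Ruby script is an added example, not part of this article or of the product's own tooling: it classifies each exported application login as an exact match, a near match that differs only by case or whitespace (which would produce a duplicate user on first LDAP login), missing from LDAP, or exempt. The sample users and LDAP entries, the `template_user` login, and the `sn`/`mail` attribute names used for last name and e-mail are constructed assumptions.

```ruby
# Added example (not from the Flow Production Tracking docs or product code):
# pre-switch audit of an exported application user list against an LDAP
# dump, classifying each login before LDAP authentication is enabled.

# Constructed sample: logins as exported from the application.
APP_USERS = [
  { login: 'jdoe',          name: 'Jane Doe' },
  { login: 'BSmith',        name: 'Bob Smith' },      # case differs from LDAP
  { login: 'a.jones ',      name: 'Alice Jones' },    # trailing space
  { login: 'shotgun_admin', name: 'Support' },
  { login: 'template_user', name: 'Template User' },  # internal system account (assumed login)
  { login: 'cbrown',        name: 'Charlie Brown' },  # not in LDAP
].freeze

# Constructed sample: the relevant attributes from an LDAP dump. The login
# attribute is the one chosen as :user_login_attribute above; 'sn' and
# 'mail' are assumed names for the last-name and e-mail attributes.
LDAP_ENTRIES = [
  { 'SAMAccountName' => 'jdoe',          'givenname' => 'Jane',  'sn' => 'Doe',     'mail' => 'jane.doe@fictitious-company.co.uk' },
  { 'SAMAccountName' => 'bsmith',        'givenname' => 'Bob',   'sn' => 'Smith',   'mail' => 'bob.smith@fictitious-company.co.uk' },
  { 'SAMAccountName' => 'a.jones',       'givenname' => 'Alice', 'sn' => 'Jones',   'mail' => 'alice.jones@fictitious-company.co.uk' },
  { 'SAMAccountName' => 'shotgun_admin', 'givenname' => 'Flow',  'sn' => 'Support', 'mail' => 'support@fictitious-company.co.uk' },
].freeze

# Accounts that exist only inside the application and must be left alone
# by any LDAP-driven cleanup (the 'Template User' is the documented case).
EXEMPT_LOGINS = ['template_user'].freeze

# Classify each application login against the dump:
#   :exact   - identical to an LDAP login; the user keeps settings and views
#   :near    - differs only by case or surrounding whitespace; the first
#              LDAP login would create a second, separate user
#   :missing - no LDAP counterpart
#   :exempt  - internal account, out of scope for the switch
def audit_user_base(app_users, ldap_entries, login_attr:, exempt: EXEMPT_LOGINS)
  ldap_logins = ldap_entries.map { |e| e.fetch(login_attr) }
  by_key = ldap_logins.to_h { |l| [l.strip.downcase, l] }
  app_users.map do |u|
    login = u[:login]
    key = login.strip.downcase
    status = if exempt.include?(login)          then :exempt
             elsif ldap_logins.include?(login)  then :exact
             elsif by_key.key?(key)             then :near
             else                                    :missing
             end
    { login: login, status: status, ldap_login: by_key[key] }
  end
end

# The profile values LDAP will write over the application's copy on each
# successful login, for one entry from the dump.
def profile_from_ldap(entry, firstname_attr: 'givenname', lastname_attr: 'sn', email_attr: 'mail')
  { first_name: entry[firstname_attr], last_name: entry[lastname_attr], email: entry[email_attr] }
end

# Count of logins in each status, for a quick go/no-go view.
def audit_summary(report)
  report.group_by { |r| r[:status] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  report = audit_user_base(APP_USERS, LDAP_ENTRIES, login_attr: 'SAMAccountName')
  report.each { |r| puts format('%-16s %-8s %s', r[:login].inspect, r[:status], r[:ldap_login].inspect) }
  p audit_summary(report)
end
```

Every :near entry should be renamed in the application (or in LDAP) to match exactly before the switch, and :missing entries need a decision about whether they get an LDAP account or are retired; :exempt entries are simply left out of whatever cleanup follows.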